<?php

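// Download endpoint: sends one file from an allow-listed directory below the
// working directory to the browser as an attachment.
//   GET file - path of the file to send, relative to the working directory
//   GET name - optional file name suggested to the browser
//
// Both parameters come straight from the request and are untrusted. The raw
// "file" value is only passed to realpath(); every later check and the final
// read use the resolved path, so the path that is validated is the path that
// is served.

// PHP has already URL-decoded $_GET. Decoding a second time corrupts names
// that contain "%" or "+" and makes the value differ from what upstream
// filters and access logs saw, so the values are used as received.
$file = isset($_GET["file"]) ? $_GET["file"] : null;
$name = isset($_GET["name"]) ? $_GET["name"] : null;

// A parameter sent as file[]=... arrives as an array, and a NUL byte makes
// the filesystem functions fail; accept only a non-empty, NUL-free string.
if (!is_string($file) || $file === "" || strpos($file, "\0") !== false) {
	http_response_code(400);
	die("No file requested");
}

// Security: only regular files located directly inside one of these
// directories (relative to the working directory) may be downloaded.
// NOTE(review): every file in these directories is downloadable regardless
// of extension - keep non-spreadsheet files out of them.
$allowedDirectories = array(
	"excel"
);

$basePath = realpath(".");
$realPath = realpath($file); // false when the path does not resolve; symlinks and ".." are resolved

$allowed = false;
if ($basePath !== false && $realPath !== false && is_file($realPath)) {
	// Compare against the base path *with* a trailing separator. A bare
	// prefix match would also accept a sibling directory whose name merely
	// starts with the base directory's name.
	$prefix = rtrim($basePath, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
	if (strncmp($realPath, $prefix, strlen($prefix)) === 0) {
		$dir = dirname(substr($realPath, strlen($prefix)));
		$allowed = in_array($dir, $allowedDirectories, true);
	}
}

// Missing files and files outside the allow-list get the same answer, so the
// endpoint cannot be used to probe which paths exist on the server.
if (!$allowed) {
	http_response_code(404);
	die("File not found!");
}

// The suggested file name ends up inside a quoted header parameter: drop any
// path components, control characters, double quotes and backslashes so it
// cannot break out of the quotes or add header parameters.
$downloadName = (is_string($name) && $name !== "") ? $name : basename($realPath);
$downloadName = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', basename($downloadName));
if (!is_string($downloadName) || $downloadName === "") {
	$downloadName = "download";
}

// Read and send file to browser
header('Content-type: application/ms-excel; charset=iso-8859-1');
header('X-Content-Type-Options: nosniff'); // keep the browser from second-guessing the declared type
header('Content-Disposition: attachment; filename="'.$downloadName.'"');
readfile($realPath);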
?>